iptables

iptables

Today I'm going to write about the (in)famous iptables, the be-all do-all of GNU/linux packet filtering de-facto standard.

Iptables is recognized to stand as one of the most used and most powerful firewall solutions around the web.

Here I'll just share some really basic rules applied to one of my little boxes:

#!/bin/bash
IPTABLES=/sbin/iptables
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe iptable_nat
modprobe iptable_mangle
modprobe ip_conntrack_ftp
modprobe ipt_LOG
modprobe ipt_state
modprobe ipt_limit
modprobe ipt_REJECT #resets everything, purge fifo
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#allow all traffic between the loopback device and the virtual (ie. VPN) devices
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
#input traffic...
#ESTABLISHED & RELATED traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DNS, Accept DNS Server responses
$IPTABLES -A INPUT -p udp --sport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#answer pings
$IPTABLES -A INPUT -p icmp -j ACCEPT
#Allow HTTP traffic to 80 (default)
$IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Allow 8080 web on both eth0
$IPTABLES -A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Allow MySQL
$IPTABLES -A INPUT -i eth0 -p tcp --dport 3306 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Allow proftpd
$IPTABLES -A INPUT -i eth0 -p tcp --dport 2056 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#proftpd active ftp - Unused for now...
#$IPTABLES -A INPUT -i eth0 -p tcp --dport 49152:65534 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#log input traffic w/"IN-DROP"-keyword so you kno wtf is goin' on.
$IPTABLES -A INPUT -j LOG --log-prefix IN-DROP
#alternative: drop INPUT traffic (ie. w/o logging to save resources). - Disabled for now...
#$IPTABLES -A INPUT -j DROP
# What to do with FORWARDED Traffic?
# Drop for now...
$IPTABLES -A FORWARD -j DROP
#LOG Forwarded Traffic ?
#Disabled for now...
#$IPTABLES -A FORWARD -j LOG --log-prefix FW-DROP

 

The above rules have been designed for a router+firewall+vpn+web-server+ftp-server in mind.

The rules have also been commented and should be self-explanatory 'though feel free to ask for more info.

Senior Professional Network and Computer Systems Engineer during work hours and father when home.

Andrea strives to deliver outstanding customer service and heaps of love towards his family.

In this Ad-sponsored space, Andrea shares his quest for "ultimate" IT knowledge, meticulously brought to you in an easy to read format.

my fav iptables settings.
Rate this post

Ask me anything